public inbox for [email protected]  
From: Craig Ringer <[email protected]>
To: Christoph Berg <[email protected]>
To: Stephen Frost <[email protected]>
To: Devrim Gündüz <[email protected]>
To: Craig Ringer <[email protected]>
To: pgsql-pkg-yum <[email protected]>
Subject: Re: Can we stop defaulting to 'ident'?
Date: Mon, 23 Dec 2019 14:06:18 +0800
Message-ID: <CAMsr+YEEjv_e=eP0W=LRFAKEMtgEs0jaHUZ7V3BgvQzCKu62eA@mail.gmail.com> (raw)
In-Reply-To: <[email protected]>
References: <CAMsr+YFCuBGWh4=aM-K2LCsBEwcrqm=pphKKHEH09vHwXcspow@mail.gmail.com>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>

On Fri, 20 Dec 2019 at 23:15, Christoph Berg <[email protected]> wrote:

> Re: Stephen Frost 2019-12-20 <[email protected]>
> > SCRAM is *definitely* better and I strongly support us moving to it,
> > provided it doesn't break anything existing (which it generally
> > shouldn't...  but maybe there's some weird edge cases, or possibly older
> > clients, but still, at some point, we need to move this default to be
> > SCRAM).
>
> TBH I haven't really read the manual section about md5-scram
> compatibility yet, but from memory, there's a lot of footnotes that
> need to be taken into account before the switch can be flipped, if
> upgrades from old servers are to be supported. The process sounds
> scary and painful.
>
>
Yeah. Everyone's already changing the setting after install or overriding
it at setup time anyway though, because 'ident' is so nonsensical hardly
anyone will be deploying with it.

We're not talking about changing the default from 'md5' to 'md5-scram'
which would be rather riskier.

And to be clear, I'm only proposing changing 'host' connections. 'local'
connections should remain 'peer' as is the case now.



-- 
 Craig Ringer                   http://www.2ndQuadrant.com/
 2ndQuadrant - PostgreSQL Solutions for the Enterprise
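
Added example, not part of the original message or of the PostgreSQL packaging: a Python check that lists the network (`host`-type) rules in a pg_hba.conf that still use `ident`, the case this message is about, while leaving `local ... peer` alone. The sample file contents and the function names are constructed for illustration.

```python
import ipaddress
import shlex

# Constructed sample in pg_hba.conf syntax; not taken from any real host.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  peer
host    all       all   127.0.0.1/32   ident
host    all       all   ::1/128        ident
host    all       all   10.0.0.0 255.0.0.0 ident map=omicron
hostssl all       all   0.0.0.0/0      scram-sha-256
"""

# Record types that describe TCP/IP connections (as opposed to 'local').
NETWORK_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}


def network_rule_method(fields):
    """Return the auth method of a host-type rule, or None if it is malformed."""
    idx = 4  # TYPE DATABASE USER ADDRESS METHOD
    try:
        # A bare IP address (no /len) means the netmask is a separate field.
        ipaddress.ip_address(fields[3])
        idx = 5
    except (ValueError, IndexError):
        pass  # CIDR, hostname, or keyword such as 'all' / 'samehost'
    return fields[idx] if len(fields) > idx else None


def ident_on_network_rules(text):
    """Return [(line_number, normalized_rule)] for host-type rules using ident."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = shlex.split(raw, comments=True)  # drops '#' comments
        if not fields or fields[0] not in NETWORK_TYPES:
            continue  # blank line, comment, 'local', or an include directive
        if network_rule_method(fields) == "ident":
            findings.append((lineno, " ".join(fields)))
    return findings


if __name__ == "__main__":
    for lineno, rule in ident_on_network_rules(SAMPLE_HBA):
        print(f"line {lineno}: ident on a network rule: {rule}")
```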

